Bucharest Court of Appeal orders the replacement of EUR 7,000 GDPR fines with warning


On June 25, the Bucharest Court of Appeal partially admitted the appeal filed by a Homeowner Association and ruled that the fines imposed by the Romanian data protection authority (Romanian DPA) are to be replaced with warning.

The background of this case:  On 20 June 2022, the Romanian DPA sanctioned a Homeowner Association with two fines amounting to EUR 7,000 for non-compliance with the GDPR principles after receiving a complaint about excessive data collection for access control in a residential complex. The investigation revealed, amongst others, that the Homeowner Association, under a security contract, collected personal data such as name, surname, series and number of identity card, destination, time of arrival, time of departure, remarks, exclusively for delivery and/or courier services without a valid legal basis and without adequate information, as well as retained video surveillance data longer than necessary.

In addition to the fines, the DPA ordered the association to update its data protection measures, set appropriate data retention limits, and ensure compliance with GDPR principles, focusing on data minimization and proportionality. (See our complete summary here.)

The ruling of Bucharest Court of Appeal is final.

Following this solution, we are waiting for the reasons underlying the Bucharest Court of Appeal’s decision.